Remote Code Execution (RCE) via the Theme Editor [Academy]

The web shell has been loaded into an inactive theme and is working with commands like “ls” and “id”. I am having a problem finding the flag.txt in the directory specified in the question: “Once you have access to the target, obtain the contents of the “flag.txt” file in the home directory for the “wp-user” directory.” My question is: 1.) can you Pipe or otherwise “string” commands together with curl? Just cannot seem to locate this flag and don’t know where to start looking. Using something like $home does not seem to help.

Nevermind found it :slight_smile:

For others: all you need is echo and the correct directory :+1:

I’ve been trying to figure this one out but have been stuck for 2 days now -
Is the goal to use curl via cli and grab the contents of the /home/htb-###/flag.txt file or do you need to modify the php code in the 404.php file to execute the command?

I’ve googled how to use curl to get the contents of a file but nothings specific enough comes up.

Any hints would be grateful!


Can anyone poke me in the right direction? Having trouble to cat the flag too.

Echo was a realy good Hint

Cat will work too. However dont forget to use the “code” for a space in a url.
Hint: it starts with a %